September, 2024
For the first time in over a decade, substantive changes have been made to the HIPAA Privacy Rule. The HIPAA Privacy Rule To Support Reproductive Health Care Privacy became effective on June 25, 2024. Although the compliance deadlines for this new rule are months (or longer) away, providers should begin assessing how they are going to comply with the new requirements. Several of the changes will significantly impact medical practices that provide reproductive health care services or offer substance use disorder treatment, and a smaller number of changes will affect all HIPAA covered entities.
When is compliance with these changes required?
While all the changes implemented by the new regulations are now effective, the deadline for compliance varies depending on the provision. The general compliance date is December 23, 2024. By that date, every covered entity must comply with the new prohibitions on uses and disclosures of reproductive health care information and with the attestation requirement, both discussed in more detail below; any practice generating or maintaining reproductive health care records will feel these changes most directly. The revisions to the notice of privacy practices, including the content that applies to all practices and the content specific to substance use disorder treatment records, have a later compliance date of February 16, 2026. Because the new rules are already in effect, medical practices should have a planned timeline for revising policies and procedures, creating forms, and perhaps implementing new technology to support the new or revised requirements. There is no need to wait until the compliance deadlines to implement these changes.
Changes impacting all providers
For all practices, the notice of privacy practices (NPP) will need to be revised to include a statement, similar to the one already required on authorization forms for the disclosure of protected health information (PHI), adequate to put patients on notice that PHI disclosed under the Privacy Rule may be redisclosed by the recipient and no longer protected by HIPAA. As discussed in more detail below, providers must also revise their NPP to describe the new prohibitions on uses and disclosures of reproductive health care information and the circumstances in which a valid attestation is required. Finally, any provider creating or maintaining substance use disorder treatment records should review the NPP content changes described below.
Changes impacting providers creating or maintaining reproductive health care records
The Privacy Rule now includes new provisions regarding reproductive health care records. According to the new rule, reproductive health care is “health care that affects the health of an individual in all matters related to the reproductive system and its functions and processes.”[1] Importantly, this definition is not expressly limited to gynecology or obstetrics and could reach other settings, such as urology and primary care. Furthermore, the rule defines “seeking, obtaining, providing, or facilitating” reproductive health care broadly, to include activities such as expressing interest in, using, performing, furnishing, paying for, disseminating information about, arranging, insuring, administering, authorizing, providing coverage for, approving, counseling about, assisting, or taking any other action to engage in reproductive health care.[2] For instance, this could include a patient seeking advice on contraception, a doctor performing a hysterectomy, or a clinic providing information on fertility treatments. Any health care provider or organization with records related to these types of activities must be aware of the new obligations.
The new rule adds a general prohibition. A covered entity or business associate may not use or disclose PHI to conduct a criminal, civil, or administrative investigation into any person, to impose criminal, civil, or administrative liability on any person, or to identify any person for either of those purposes, where the investigation, liability, or identification is for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.[2]
The prohibition applies when the covered entity or business associate receiving the request has reasonably determined that one or more of the following conditions exists: the reproductive health care was lawful under the law of the state in which it was provided, under the circumstances in which it was provided; the care is protected, required, or authorized by federal law, including the United States Constitution, regardless of the state in which it was provided; or the care was provided by someone other than the covered entity or business associate receiving the request and the rule’s presumption that the care was lawful applies. That presumption holds unless the covered entity or business associate has actual knowledge that the care was not lawful, or the requester supplies factual information demonstrating a substantial factual basis that it was not lawful.
A new mechanism is introduced with these rules. For the first time, the HIPAA Privacy Rule requires an attestation for specific uses and disclosures of PHI. In summary, a valid attestation must accompany any request for PHI potentially related to reproductive health care that is made for health oversight activities, judicial and administrative proceedings (such as a subpoena), law enforcement purposes, or disclosures to coroners and medical examiners.[3] The attestation must contain all required elements, be written in plain language, and not be combined with any other document. It must include a description of the requested information; the name of the person or organization being asked to make the use or disclosure; the name of the person or organization to whom the use or disclosure is to be made; and a clear statement that the use or disclosure is not for a purpose prohibited under the amended Privacy Rule. It must also include a statement that a person who knowingly obtains or discloses individually identifiable health information in violation of HIPAA may be subject to criminal penalties. The attestation must be signed and dated by the person requesting the information; if it is signed by a representative, the representative’s authority must be described. For example, unless accompanied by a valid attestation, no PHI potentially related to reproductive health care may be disclosed in response to a medical records subpoena of the kind commonly issued in personal injury lawsuits.[4] Conversely, reproductive health care records requested by another provider for treatment purposes do not require an attestation.[5]
Changes impacting providers creating or maintaining substance use disorder treatment records
The updated HIPAA rule introduces significant changes for providers who create or maintain records related to substance use disorder (SUD) treatment. These provisions apply to any covered entity maintaining SUD records subject to federal confidentiality protection under 42 CFR Part 2 (Part 2), regardless of whether the records were created by the medical practice or received from another organization. Note that many changes to Part 2 itself have also been made. While those changes are beyond the scope of this article, the Privacy Rule amendments address some of the corresponding modifications in Part 2. A goal of the new provisions is to align the Part 2 confidentiality rules with the HIPAA Privacy Rule and thereby facilitate the disclosure of SUD records, especially for treatment purposes.
One significant change concerns the notice of privacy practices provided to individuals whose records relate to SUD treatment. These individuals are entitled to receive information about the uses and disclosures of their SUD records, and new NPP content requirements apply to covered entities maintaining SUD records protected by Part 2. If a use or disclosure is prohibited or limited by another applicable law, such as Part 2, the NPP’s description of how the information is used or disclosed, including any restrictions, must reflect the more stringent law. The description of each purpose for which SUD records may be used or disclosed must include enough detail to inform individuals of the uses and disclosures permitted or required by the Privacy Rule and by other applicable laws, such as Part 2.
If the medical practice receives SUD treatment records from providers subject to Part 2, or receives testimony relaying the content of such records, the NPP must state that such information will not be used or disclosed in any civil, criminal, administrative, or legislative proceeding against the patient unless the patient gives written consent or a court order is obtained after the patient or the holder of the record has been given notice and an opportunity to be heard, as provided in the Part 2 regulations. Additionally, if a covered entity intends to use SUD records subject to Part 2 for fundraising, the NPP must state that individuals may opt out of receiving fundraising communications.
All HIPAA covered entities are impacted to some degree by the recent amendments to the Privacy Rule, which became effective in June 2024. The degree of policy and operational modifications required, as well as the deadline for complying with the regulatory changes, will depend in large part on the nature of services your medical practice provides to patients, as well as the type of records maintained by your medical practice. Now is the time to assess, based on the unique operations of your medical practice, what is needed to comply, as well as to develop a plan for meeting the applicable compliance deadlines.
If you have questions about HIPAA, cybersecurity, or access to these resources, call 800-342-2239 or email ContactSVMIC@svmic.com.
If you experience a cybersecurity or other HIPAA related incident, contact SVMIC as soon as possible by calling 800-342-2239 and ask to speak with the Claims department.
[1]. 45 CFR § 160.103.
[2]. 45 CFR § 164.502(a)(5)(iii).
[3]. 45 CFR § 164.509.
[4]. Unless contrary guidance is released, any medical practice that maintains PHI potentially related to reproductive health care should consider requiring a valid attestation for every use or disclosure of a type that requires one. Otherwise, each time such a request is received, the practice would have to review the designated record set page by page to determine whether it contains any reproductive health care records for the individual whose records are requested.
[5]. Regardless of whether an attestation is required for a particular use or disclosure, the new general prohibition on improper uses and disclosures of reproductive health care information applies in every use or disclosure situation.
Justin Joy is an attorney with Lewis, Thomason, King, Krieg & Waldrop, P.C. He has a variety of experience in the area of information privacy and cybersecurity including security incident investigation, breach response management, security awareness training, HIPAA policy drafting, and cyber risk consulting. He also provides counsel in healthcare liability defense, telemedicine, and healthcare compliance matters. As Lewis Thomason’s chief privacy officer, Justin promotes an awareness of privacy and security-related issues for the firm. Justin has earned the Certified Information Privacy Professional/United States (CIPP/US) and Certified Information Privacy Technologist (CIPT) credentials through the International Association of Privacy Professionals (IAPP).